General ACL question

qbakies11
Level 1

Can someone explain or point me to an explanation on how to determine whether an ACL should be placed inbound or outbound on an interface? I seem to be having trouble trying to grasp the concept of an interface being either inbound or outbound when traffic passes through it both ways.

11 Replies

keeleym
Level 5

Hi There

Take the scenario where you have a router's eth0/0 interface connected to a switch on which there are one or more vlans configured. The router's GE0/0 interface connects to the Internet.

If you write an ACL on the router which is preventing access TO any of the systems connected to the switch from systems on the internet, then you would use an Inbound ACL.

If you write an ACL on the router which is preventing systems connected to the switch FROM getting to any other systems on the internet, then you would use an Outbound ACL.

I hope that helps.

Best Regards,

Michael

Jon Marshall
Hall of Fame

Hi

Think of it like this.

Traffic entering the interface is inbound.

Traffic leaving the interface is outbound.

Whether you place it inbound or outbound depends entirely on what you are trying to achieve, e.g.

1) You want to filter traffic from one vlan/subnet, e.g. vlan 10, going to a lot of other vlans/subnets. You have two choices

i) you could have an outbound access-list on every vlan interface that denies traffic from vlan 10

or

ii) you could have an inbound access-list on vlan 10 interface that denies traffic to the other vlans.

Option ii) would be the one to go with. Not only does it mean that you only have to use one access-list, it also reduces traffic on the network because the packets are stopped as close to the source as possible.

2) The opposite of 1), i.e. you want to filter traffic going to one vlan; again in this example we will use vlan 10.

So you have 2 choices again

i) Apply inbound access-list on every vlan interface that you want to filter traffic to vlan 10

or

ii) Apply one outbound access-list on vlan 10 to filter the traffic.

Obviously traffic from the other vlans will still have to go across the network, so you need to decide which is more important, a lot of access-lists or more network traffic.

Jon

Your first example of:

---------------------------------------

1) You want to filter traffic from one vlan/subnet, e.g. vlan 10, going to a lot of other vlans/subnets. You have two choices

i) you could have an outbound access-list on every vlan interface that denies traffic from vlan 10

or

ii) you could have an inbound access-list on vlan 10 interface that denies traffic to the other vlans.

Option ii) would be the one to go with. Not only does it mean that you only have to use one access-list, it also reduces traffic on the network because the packets are stopped as close to the source as possible.

---------------------------------------

That seems backwards to me. If you are trying to stop traffic from vlan10 getting to other subnets, wouldn't you place an outbound ACL on the vlan10 interface since you are trying to filter the traffic going out (leaving) of that interface?

Hi

Okay, I may have confused you a little by using vlans but the principle is the same.

Traffic going out of the vlan 10 interface is traffic that is going TO machines on vlan 10.

Traffic coming into the vlan 10 interface is traffic FROM machines on vlan 10.

That is why I used the interface statements in my original post, i.e.

Traffic going into an interface is inbound

Traffic going out of an interface is outbound.

Hope this makes sense

Jon

That still seems backwards to me. I sketched a very simple diagram on the attachment to get a visual. So if I wanted to only let www traffic for SubnetA to SubnetB I would place an outbound ACL on F0/0 because the traffic is going from SubnetA OUT F0/0 and IN F0/1 to SubnetB. Correct?

Hi

I apologise as I don't seem to be explaining this very well. Okay, assuming that your example means clients on subnet A connecting to a web server on subnet B

If you only want to allow www traffic to subnet B from subnet A then you could either

i) apply an acl inbound on the interface connecting to subnet A, i.e. fa0/0. Traffic going into the fa0/0 interface is traffic coming from subnet A.

ii) apply an acl outbound on the interface connecting to subnet B, i.e. fa0/1. Traffic going out of interface fa0/1 is traffic going to subnet B.

If you apply an acl outbound on the fa0/0 interface then that acl would filter traffic going to machines in subnet A. Where the confusion is coming from is the terminology, i.e.

"I would place an outbound ACL on F0/0 because the traffic is going from SubnetA OUT F0/0 and IN F0/1 to SubnetB"

I would rewrite this

I would place an inbound acl on fa0/0 because the traffic is coming from subnet A into interface fa0/0 and then going out of interface fa0/1 to machines in subnet B.

Jon

Sorry, forgot the attachment, please see post below...

Alright I think I understand now. I was thinking of traffic passing through the router as the point of inbound outbound but it's actually the traffic attached to each interface. Just to clarify I labeled the attachment with inbound and outbound traffic. Is it correct?

Unfortunately no, it's not correct, but I think you've hit on a key point which may be a better way to explain it.

It is not about going through the router, rather it's in relation to each router interface.

So if you look at your diagram from a router interface perspective, let's take fa0/0

inbound means traffic going into that interface towards the router.

outbound means traffic going out of that interface away from the router.

Remember inbound/outbound are in relation to the interface on the router not the clients on subnet A and B.

So either flick the arrows around or the Outbound/Inbound tags and your diagram is correct.

Jon
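The following is an added example, not code from the thread, that turns the rule in Jon's replies above (traffic entering an interface is inbound, traffic leaving it is outbound) and his fa0/0 / fa0/1 options into a small, runnable model of how IOS evaluates an `ip access-group ... in` or `... out` on an interface, including the implicit deny at the end of every access-list. It also serves the vlan 10 discussion earlier in the thread, since the same evaluation applies to an SVI. The topology is constructed for the example because the diagram is not on the page: subnet A is assumed to be 192.168.1.0/24 on fa0/0, subnet B 192.168.2.0/24 on fa0/1 with a web server at .10, and the ACL is assumed to be a single `permit tcp <subnet A> <subnet B> eq www`. Entries use CIDR instead of IOS wildcard masks to keep the model short.

```python
# Added example (not from the thread): a model of how IOS applies an
# access-group "in" or "out" on an interface. Used to show why a www-only
# ACL for subnet A -> subnet B belongs inbound on fa0/0 (or outbound on
# fa0/1), and what happens when it is applied outbound on fa0/0 instead.
# Addresses, interface names and the ACL are assumptions; the thread's
# diagram is not on the page.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'permit tcp <src> <dst> eq www'.
    CIDR is used in place of IOS wildcard masks to keep the model short."""
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class Acl:
    def __init__(self, name: str, aces: list):
        self.name, self.aces = name, aces

    def evaluate(self, p: Packet) -> str:
        for ace in self.aces:      # first match wins, top to bottom
            if ace.matches(p):
                return ace.action
        return "deny"              # implicit "deny any" at the end of every IOS ACL


class Router:
    """Router with directly connected networks; each interface may carry
    one ACL applied "in" and one applied "out"."""

    def __init__(self):
        self.ifaces = {}

    def add_interface(self, name: str, network: str):
        self.ifaces[name] = {"net": ipaddress.ip_network(network), "in": None, "out": None}

    def access_group(self, ifname: str, acl: Acl, direction: str):
        assert direction in ("in", "out")
        self.ifaces[ifname][direction] = acl

    def _connected(self, addr: str) -> str:
        for name, i in self.ifaces.items():
            if ipaddress.ip_address(addr) in i["net"]:
                return name
        raise LookupError(addr)

    def forward(self, p: Packet) -> str:
        ingress = self._connected(p.src)   # interface the packet arrives on
        egress = self._connected(p.dst)    # interface it would leave through
        acl = self.ifaces[ingress]["in"]   # "in" is checked as traffic enters the router
        if acl and acl.evaluate(p) == "deny":
            return f"dropped by {acl.name} inbound on {ingress}"
        acl = self.ifaces[egress]["out"]   # "out" is checked as traffic leaves the router
        if acl and acl.evaluate(p) == "deny":
            return f"dropped by {acl.name} outbound on {egress}"
        return f"forwarded {ingress} -> {egress}"


# Constructed topology: subnet A on fa0/0, subnet B (web server at .10) on fa0/1.
SUBNET_A, SUBNET_B = "192.168.1.0/24", "192.168.2.0/24"
WWW_ONLY = Acl("WWW_ONLY", [Ace("permit", "tcp", SUBNET_A, SUBNET_B, dport=80)])


def build_router(ifname: str, direction: str) -> Router:
    """Apply WWW_ONLY in the given direction on the given interface."""
    r = Router()
    r.add_interface("fa0/0", SUBNET_A)
    r.add_interface("fa0/1", SUBNET_B)
    r.access_group(ifname, WWW_ONLY, direction)
    return r


def run_scenario(ifname: str, direction: str) -> dict:
    """Verdicts for a web request, a non-web request and the web server's reply."""
    r = build_router(ifname, direction)
    return {
        "A->B www": r.forward(Packet("192.168.1.20", "192.168.2.10", "tcp", sport=51000, dport=80)),
        "A->B ssh": r.forward(Packet("192.168.1.20", "192.168.2.10", "tcp", sport=51001, dport=22)),
        "B->A www reply": r.forward(Packet("192.168.2.10", "192.168.1.20", "tcp", sport=80, dport=51000)),
    }


if __name__ == "__main__":
    for ifname, direction in (("fa0/0", "in"), ("fa0/1", "out"), ("fa0/0", "out")):
        print(f"ip access-group WWW_ONLY {direction} on {ifname}:")
        for flow, verdict in run_scenario(ifname, direction).items():
            print(f"  {flow:15} {verdict}")
```

Running it shows the two correct placements (inbound on fa0/0, outbound on fa0/1) giving the same result: the web request is forwarded, the ssh attempt is dropped, and the server's reply passes because it never crosses the ACL. The placement the original poster first proposed, outbound on fa0/0, does the opposite: ssh from subnet A is forwarded untouched, and the web server's replies (source port 80, destination on subnet A) hit the implicit deny on their way out of fa0/0, so the sessions break. Keep in mind that IOS ACLs are stateless; if you do need an outbound ACL on the client-facing interface for other reasons, the return traffic has to be permitted explicitly, which is what the `established` keyword on a TCP entry is for.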

Thank you very much for your patience and detailed explanations. Now I'm good to go start locking down my users! :D

No problem, glad to help and appreciate the rating.

Go easy on the users :)

Jon
